Cyber security

Fred Claus (Grand Island, NY)
I'm redefining my business, and only focusing on Cybersecurity from now on. After looking at all the different frameworks, I've narrowed it down to NIST and CIS. Most of my customers being microbusinesses, I'm leaning toward CIS. Does anyone else follow this framework?
 
All of Microsoft's stuff is geared toward CIS.

Honestly, the framework choice is irrelevant. CMMC was created by the US Military, NIST was created by the Federal government on the civilian side with input from the NSA and the US military, CIS was created by another US Federal department and wholly civilian... and notably didn't go along with the NSA's insane idea and accept weakened encryption standards...

Then you have ISO 27001, which looks like all of the above combined with a side of PCI-DSS.

They all describe the same thing! None of them are concerned with security, all are simply models and to prove compliance you document things. I have yet to see an SMB have the budget to adhere to any of them properly.

But I do wish you luck, I closed Intouch because I hit this point, realized what it meant, tried to sell it, got laughed at... then the pandemic hit and far too many good people I know died, and the rest did the... Rob you were right! and either promptly retired, or went out of business. I'm more than a little jaded. I'm glad to be servicing all of the above for larger businesses now that actually have budgets.

If you can get a micro business to let you do this: https://www.cisecurity.org/controls/cis-controls-list That's a HUGE thing.
Though I can make a strong argument that anything less than full implementation of CIS IG1 is tantamount to suicide... but I've also been accused by people around here of securing a tricycle with Fort Knox.

I'm working on getting a CISSP (STILL), ton of history / legislation to know to get that thing. I think you'll find the study material helpful. FRSecure's annual free boot camp is coming up: https://frsecure.com/cissp-mentor-program/
 
Sky, I signed up for the FRSecure event, and I did take a look around the site. You have a point about CIS as well. After reviewing all the controls and what I typically do for microbusinesses now, I don't see them following it completely. I was just in a herbalist store that had three computers. I don't see them having different accounts for each of the three people who work on them, as well as 2FA and strictly enforced Fair use or BYOD policies.
 
Nope, but all those controls don't necessarily make sense to deploy either.

ISC2 Code of Ethics:
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.
I default to educate in most circumstances, and cry when they don't listen, then die a little bit when they fall. No matter how burned out I get, I don't think I'll ever lose that.
 
We've taken the CIS framework and pushed a bit of it into all of our managed clients. It has a list of controls you need to kick in. There are spreadsheets out there available that, for example, map the controls to Intune config policies and ASRs in Intune.

It's good to, as part of your SOPs for managing clients, bring their network, computers, services like email...."up to snuff" and secure...using CIS benchmarks as your bar to raise up to. To us, that's why we're here with clients on managed plans...part of our task is to keep them secure, minimize their exposure/risk! We don't just want to slap our RMM agent on there, slap on an antivirus, configure a backup, and walk away.
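Added example (not from any post in this thread, and not CIS's or Microsoft's own tooling): a read-only PowerShell spot check of a single Windows endpoint against a handful of the CIS Controls v8 IG1 safeguards that Sky-Knight's "full implementation of IG1" and YeOldeStonecat's CIS-to-Intune/ASR mapping both refer to. The safeguard numbers are as I recall them from v8 and should be verified against the current CIS list; the safeguard-to-check mapping and the short list of ASR rule IDs are my own selection. It assumes Windows 10/11 with Microsoft Defender and BitLocker cmdlets present and an elevated session. MFA (the 6.x safeguards) lives in the identity provider and cannot be checked from the endpoint, so it is deliberately not here.

```powershell
# Added example, not code from this thread. Read-only audit of one Windows
# endpoint against a few CIS Controls v8 IG1 safeguards (numbering as I recall
# it; verify against the current CIS list). Run elevated on Windows 10/11.
# The safeguard -> check mapping below is my own assumption, not CIS's.

# Safeguard 5.1 / 5.2: every person has their own account, no shared logins.
function Get-AccountInventory {
    Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
}

# Safeguard 5.4: day-to-day users should not sit in local Administrators.
function Get-LocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

# Safeguard 10.1 / 10.5: anti-malware on, plus the attack surface reduction
# rules an Intune endpoint-security policy would push. Only rule IDs I am
# confident of are listed. Action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
$AsrActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrStatus {
    $pref    = Get-MpPreference
    # Normalise to lower-case arrays; both properties are $null when nothing is configured.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $i = [Array]::IndexOf($ids, $id)
        $state = if ($i -ge 0) {
            $code = [int]$actions[$i]
            if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        } else { 'Not configured' }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; State = $state }
    }
}

# Safeguard 3.6: encrypt data on end-user devices.
function Get-DiskEncryption {
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

# Report. Anything other than Block / On / unique named accounts is a gap to
# raise with the client, not something to silently fix in an audit pass.
'== Local accounts (5.1 / 5.2) =='
Get-AccountInventory | Format-Table -AutoSize
'== Local Administrators (5.4) =='
Get-LocalAdmins | Format-Table -AutoSize
'== Defender / ASR (10.1 / 10.5) =='
"Real-time protection enabled: $((Get-MpComputerStatus).RealTimeProtectionEnabled)"
Get-AsrStatus | Format-Table -AutoSize
'== BitLocker (3.6) =='
Get-DiskEncryption | Format-Table -AutoSize
```

The point of keeping it read-only is the one made further down the thread: on a three-PC shop you first show the owner what is missing (shared logins, no disk encryption, ASR rules never configured) and let them decide, rather than flipping settings and being blamed when something breaks. The same checks are what an Intune compliance policy would enforce centrally once the client is on a managed plan.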
 
Yeah, that's one of the reasons I was hoping for a framework that I could say, "If you don't do these things, I can't help you". I got burned by my church. I was their IT person, and whenever I mentioned replacing a failing computer or backing up the data, the answer I got was, "It's not in our budget", even though I had a $5,000.00 budget at the time. (of course, other departments got anything they wanted). Then six months after I had been trying to get this in place, the computer failed. It was the one that held all their church records, like finances, membership, and other things. Guess who got the blame when all the data got lost.

I made them stew and fret about how the data was all gone and they had to recreate it. After everyone learned how valuable my input was, I told them I took it upon myself to have some backup so their data was not lost. Just what they did the last three days before the crash.

I downright hate it when people hire me to do a job and then don't listen to what I say.
 
I downright hate it when people hire me to do a job and then don't listen to what I say.

And that's when, depending on the distance in difference of opinion, you fire a client (and, yes, even a church).

There's certain "leading of horses to water" where, whether they drink or not is not critical. But not taking backups (themselves), sorry, but hell no, for any organization.

They should thank their lucky stars they had you doing certain things to CYA, really, that ended up covering theirs. But that should NEVER be either necessary or expected.
 
Yeah, that's one of the reasons I was hoping for a framework that I could say, "If you don't do these things, I can't help you".

But in order to be able to do that:
1. You need to be willing to do "these things."
2. You need to believe that they are actually necessary and beneficial in the specific situation.

I can't look at a very great many of those and even attempt to justify them for, say, my local lady who runs a quilting business out of her home. They're absolutely ludicrous in that light when taken as a whole.

Security must include "feature matching" regarding the thing(s) being secured, and why.
 

That never changes as far as I know. Infrastructure is boring, and it's never important to anyone else until it's unusable.
 
That never changes as far as I know. Infrastructure is boring, and it's never important to anyone else until it's unusable.

Ain't it the truth! Not just in computing, either!

Infrastructure is never "a sexy topic" and there is this belief that because "it's always been there" that it "will always be there" with no attention paid whatsoever.

"Those who do not learn from history are doomed to repeat it," has probably been the most true when it comes to computing infrastructure and even more generally. Most scams are well-worn "oldies, but goodies" that have been widely reported upon, many times, but people just don't catch on.
 
Yeah the entire industry is jumping on the CIS controls wagon which annoyingly enough is diluting the advertising and messaging to the point where talking about CIS isn't productive from a marketing perspective anymore.
 
I tried focusing the main part of my business on cyber security, but rarely did anyone listen to or want to implement what I recommended. I was getting burned out quickly and losing interest, with nobody listening and everyone blaming me when things went wrong or got more difficult (MFA is far too difficult and annoying for some people, it seems :rolleyes:), so now I've closed my business and am starting work for a cyber security company. I can now focus on just the bits I need to and continue my learning. Most of my clients started panicking when I told them I was starting other employment, but they are no longer my problem!

Even if you can't follow every point of the framework, usually you can do some of it, which mostly helps. As already stated, most of the frameworks are the same (at least the underlying sections of them) and they all want to achieve the same thing, so there isn't really a wrong answer. Mix and match, use common sense, do your best, but when doing this, don't even mention a framework; otherwise, as @Sky-Knight says, it's suicide, as they'll think you've implemented every stage and they are "secure".
 
You guys all make good points. I guess I should use the framework as a guide for me when developing my package. Most of my customers like you say won't even care. @YeOldeStonecat can you send that email to me? I'd love to read the article.
 
Are you lucky or secure?

Businesses on the S side of SMB are the former universally, and do not want to think about the latter. They just go out of business.
Businesses on the M side of the SMB start to worry, and usually get some budget in there for security.
Businesses moving into the enterprise scale have no choice, and have functional budgets for these things, along with compliance checks etc.

But a one man shop can only reasonably service the S side stuff. You need a crew of at least 5 to do the M stuff properly, and start to scratch at the smaller of the enterprise clients. But you'll scale up to hundreds to handle full enterprise properly.

This crap is hard!
 
Businesses on the S side of SMB are the former universally, and do not want to think about the latter. They just go out of business.

You think that if you repeat this enough it will be true, but it just isn't. Micro-businesses have been the backbone of our economy for longer than I've been alive, and still exist and thrive.

They do not have the same requirements as medium and large businesses do, in any respect, including security. It's a different ball game whether you wish to acknowledge it or not.

If they're well run for the service(s) they provide, they don't "just go out of business" because they don't secure things as you think they should.
 
I agree 100%. My doctoral dissertation was on malware detection in microbusinesses. The needs of a company with 1-10 employees are far different from those of a company with 75-100 employees.
 